Tuesday, July 7, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Apache Camel dominates yesterday's disclosures with six critical vulnerabilities rated CVSS 9.1-9.8, including CVE-2026-46454, CVE-2026-48204, and CVE-2026-56140 affecting core components and the AWS2 SNS integration. In total, 35 critical CVEs were disclosed, up from 3 the prior day, alongside 86 high-priority CVEs, up from 20. Beyond the Camel cluster, Coollabsio Coolify carries two CVSS 9.9 flaws (CVE-2026-34037, CVE-2026-34038), and WordPress plugins are also affected, with WPFunnels (CVE-2026-14345, CVSS 9.8) and a file manager plugin family (CVE-2026-6382, CVSS 9.1) among the top issues. The pattern skews toward integration frameworks, self-hosted deployment platforms, and WordPress plugin ecosystems, with remote code execution and unauthorized access as the primary risks; one Microsoft SharePoint vulnerability (CVE-2026-45659) has confirmed active exploitation. Patch availability currently stands at 0% for this set, so teams should track vendor advisories closely and apply compensating controls where updates are not yet published.

  • Apache Camel accounts for six critical CVEs (CVSS 9.1-9.8), including CVE-2026-46454 and the AWS2 SNS component flaw CVE-2026-56140
  • 35 critical CVEs disclosed, a 1067% increase from the prior day's 3
  • 86 high-priority CVEs disclosed, a 330% increase from the prior day's 20
  • Coollabsio Coolify hit by two CVSS 9.9 vulnerabilities (CVE-2026-34037, CVE-2026-34038), continuing pressure on self-hosted deployment platforms
  • WordPress plugin exposure includes WPFunnels (CVE-2026-14345, CVSS 9.8) and multiple file manager plugins (CVE-2026-6382, CVSS 9.1)
  • Patch availability is 0% for this disclosure set; one SharePoint CVE (CVE-2026-45659) is actively exploited in the wild

Immediate action: Teams running Apache Camel, Coolify, or the affected WordPress plugins should inventory exposed instances now and monitor vendor advisories for fixes, prioritizing internet-facing integration endpoints. Organizations using Microsoft SharePoint should apply available mitigations for CVE-2026-45659 immediately given confirmed active exploitation. With patch availability at 0% for the broader set, apply compensating controls such as network restrictions and WAF rules until vendor updates ship.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation